Feds Investigate Password Requests
U.S. Senators Richard Blumenthal and Charles E. Schumer today called on the U.S. Equal Employment Opportunity Commission (EEOC) and the U.S. Department of Justice (DOJ) to launch a federal investigation into a new disturbing trend of employers demanding job applicants turn over their user names and passwords for social networking and email websites to gain access to personal information like private photos, email messages, and biographical data that is otherwise deemed private.
According to recent reports, certain employers in New York and across the country are demanding the information from job applicants as part of the interview process – including photos and personal messages not shared with anyone else. Blumenthal and Schumer argued that this disturbing practice represents a grave intrusion into personal privacy that could set a dangerous precedent for personal privacy and online privacy, make it more difficult for Americans to get jobs, and expose employers to discrimination claims. Today, in letters to the EEOC and the DOJ, Blumenthal and Schumer called for a federal investigation into whether the practice is illegal under federal law.
"I am alarmed and outraged by rapidly and widely spreading employer practices seeking access to Facebook passwords or confidential information on other social networks,” said Blumenthal. “A ban on these practices is necessary to stop unreasonable and unacceptable invasions of privacy. An investigation by the Department of Justice and Equal Employment Opportunity Commission will help remedy ongoing intrusions and coercive practices, while we draft new statutory protections to clarify and strengthen the law. With few exceptions, employers do not have the need or the right to demand access to applicants’ private, password-protected information.”
“Employers have no right to ask job applicants for their house keys or to read their diaries – why should they be able to ask them for their Facebook passwords and gain unwarranted access to a trove of private information about what we like, what messages we send to people, or who we are friends with?” said Schumer. “In an age where more and more of our personal information – and our private social interactions – are online, it is vital that all individuals be allowed to determine for themselves what personal information they want to make public and protect personal information from their would-be employers. This is especially important during the job-seeking process, when all the power is on one side of the fence. Before this disturbing practice becomes widespread, we must have an immediate investigation into whether the practice violates federal law – I’m confident the investigation will show it does. Facebook agrees, and I’m sure most Americans agree, that employers have no business asking for your Facebook password.”
According to recent reports, employers are beginning to ask prospective employees for their Facebook passwords as part of the interview process before they are hired. In one case, the Associated Press reported a New York City statistician was asked for his Facebook user name and password so that the employer could review private components of his profile as part of the interview process for the job he was applying for. At least two other cases were identified where individuals who were applying for jobs were required to turn over Facebook passwords and user names in order to be considered for the job they were applying for, as well as a city that, until recently, required job applicants to provide access to their email accounts.
Facebook itself came out against the practice on Friday. In a post on its website, the social networking site said it was a violation of Facebook’s Statement of Rights and Responsibilities to share or solicit a Facebook password. Facebook noted that the practice “undermines the privacy expectation and the security of both the user and the user’s friends” and could expose employers to lawsuits by exposing themselves to claims of discrimination if the employer discovers the individual is a member of a protected group (e.g., over a certain age) and then don’t hire that person.
In their letter to the EEOC, Blumenthal and Schumer specifically raised concerns that by requiring applicants to provide login credentials to social networking sites, employers will have access to private, protected information that may be impermissible to consider when making hiring decisions and may be used to unlawfully discriminate against otherwise qualified applicants. Blumenthal and Schumer both made clear that comprehensive background checks for individuals are sometimes needed when seeking employment in law enforcement, at highly sensitive infrastructure sites, and with jobs where there is significant access to vulnerable populations. The senators pointed out, however, that requiring prospective employees turn over Facebook and social media user names and passwords, essentially granting access to private information that is not otherwise made public, could very well give employers information they otherwise cannot ask about, such as religion, age, marital status, pregnancy status, and a host of other protected classes that employers are not permitted to ask about or make hiring decisions based on.
In their letter to the Justice Department, Blumenthal and Schumer pointed out that two courts have found that when supervisors request employee login credentials, and access otherwise private information with those credentials, that those supervisors may be subject to civil liability. Although those two cases involved current employees, the courts’ reasoning does not clearly distinguish between employees and applicants. Pointing to Facebook terms of service and the civil case law, the senators urged DOJ to investigate and issue a legal opinion as to whether requesting and using prospective employees’ social network passwords violates current federal law.
Blumenthal and Schumer also announced that they are currently drafting legislation that would seek to fill any gaps in federal law that allow employers to require personal login information from prospective employees to be considered for a job. The senators noted they are seeking additional legal opinions, from both the EEOC and DOJ to determine what protections currently exist and what additional protections are necessary.
The senators noted that the new practice represents a grave threat to personal privacy and said that a federal investigation is warranted to determine whether the practice violates federal law. They argued that given the past case law, it would appear that the practice is a violation of personal privacy.
A copy of the letters from Blumenthal and Schumer can be found below.
"Dear Attorney General Holder,
We write concerning reports in the media that some employers are requiring job applicants to provide their usernames and passwords to social networking sites like Facebook as part of the hiring process.
We urge the DOJ to investigate whether this practice violates the Stored Communication Act or the Computer Fraud and Abuse Act. The SCA prohibits intentional access to electronic information without authorization or intentionally exceeding that authorization, 18 U.S.C. § 2701, and the CFAA prohibits intentional access to a computer without authorization to obtain information, 18 U.S.C. § 1030(a)(2)(C). Requiring applicants to provide login credentials to secure social media websites and then using those credentials to access private information stored on those sites may be unduly coercive and therefore constitute unauthorized access under both SCA and the CFAA.
Two courts have found that when supervisors request employee login credentials, and access otherwise private information with those credentials, that those supervisors may be subject to civil liability under the SCA. See Pietrylo v. Hillstone Restaurant Group, 2009 WL 3128420 (D.N.J. 2009); Konop v. Hawaiian Airlines, Inc., 302 F.3d 868 (9th Cir. 2002). Although these cases involved current employees, the courts’ reasoning does not clearly distinguish between employees and applicants. Given Facebook terms of service and the civil case law, we strongly urge the Department to investigate and issue a legal opinion as to whether requesting and using prospective employees’ social network passwords violates current federal law."
"Dear EEOC Chair Berrien,
We write concerning reports in the media that some employers are requiring job applicants to provide their usernames and passwords to social networking sites like Facebook as part of the hiring process. By requiring applicants to provide login credentials to social networking and email sites, employers will have access to private, protected information that may be impermissible to consider when making hiring decisions. We are concerned that this information may be used to unlawfully discriminate against otherwise qualified applicants.
Facebook and other social networks allow users to control what information they expose to the public, but potential employers using login credentials can bypass these privacy protections. This allows employers to access private information, including personal communications, religious views, national origin, family history, gender, marital status, and age. If employers asked for some of this information directly, it would violate federal anti-discrimination law. We are concerned that collecting this sensitive information under the guise of a background check may simply be a pretext for discrimination.
We strongly urge the Commission to investigate and issue a legal opinion as to whether requesting and using prospective employees’ social network passwords violate current federal law."